TEL2813/IS2820 Security Management

Cyber security Cost
• Operating Cost
  • Expenditure that will benefit a single period's operations (one fiscal year)
  • E.g., cost of patching software to correct breaches in the fiscal year
• Capital Investment
  • Expenditure that will benefit several periods (appears on the balance sheet)
  • E.g., purchase of an IDS (plus personnel cost), expected to work for at least the next few years

Cyber security Cost
• Capital investments lose their economic value over time
  • The portion of the investment lost during a particular period is charged to that period (i.e., depreciation)
• In practice, the distinction is not straightforward
• Some argue that most cyber security expenditures are operating costs
  • However, they have spillover effects into later periods, hence they could be treated as capital investments
• A middle ground is needed

Cyber security Cost: In practice
• Most organizations treat cyber security expenditure as operating costs
  • Accounting and tax rules allow and motivate this
  • By expensing these costs in the year of expenditure, tax savings are realized immediately
• The distinction is still useful (recommended) from a planning perspective
• A good approach: view all expenditures as capital investments with varying time horizons
  • Operating cost (OC) becomes a special case of capital investment (CI) with a one-period horizon

Cost (C) vs. Benefit (B)
• Assume B and C can be assessed for different levels of cyber security activity
• The organization's goal should be to implement security procedures up to the point where (B - C) is maximized
• Implementing beyond that point means the incremental costs exceed the incremental benefits
  • The net benefit of each additional unit beyond that maximum point is negative

Cost (C) vs. Benefit (B)
• Cost-Benefit principle: keep increasing security activities as long as the incremental benefits exceed their incremental costs
• If security activities can be increased in small amounts, they should be set at the point where incremental cost = incremental benefit (marginal cost equals marginal benefit)

Net Present Value Model
• C and B can be quantified in terms of Net Present Value (NPV)
• NPV is a financial tool for comparing anticipated benefits and costs over different time periods
• A good way to put cost-benefit analysis (CBA) into practice

Net Present Value Model
• To compute NPV, first discount all anticipated benefits and costs to today's value, the present value (PV)
• NPV = PV (of the future net benefits) - initial cost of the project
• Key aspect of the NPV model: compare the discounted cash flows associated with the future benefits and costs to the initial cost of an investment
• All costs and benefits are expressed in monetary units

Net Present Value Model
• The NPV model is most easily considered in terms of incremental investments
• The realistic situation is that some level of security is already in place (e.g., basic firewalls, access controls)
• NPV can then be used to compare the incremental costs with the incremental benefits of increases in security activities (SA)
• Notation:
  • C0: cost of the initial investment
  • Bt and Ct: anticipated benefits and costs, respectively, in time period t from the additional security activities
  • k: discount rate, usually taken as the organization's cost of capital; it is the minimum rate a project must earn so that the organization's value is not reduced
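The slide defines the symbols but the formula itself did not survive extraction. Written out with those symbols, the standard NPV of an incremental investment is (added here as the textbook definition, not copied from the slide; T, the useful life in periods, is my label):

$$\mathrm{NPV} = -C_0 + \sum_{t=1}^{T} \frac{B_t - C_t}{(1+k)^t}$$

The internal rate of return (IRR) referred to on later slides is the discount rate at which the NPV is exactly zero:

$$-C_0 + \sum_{t=1}^{T} \frac{B_t - C_t}{(1+\mathrm{IRR})^t} = 0$$

An incremental security investment is worth making when NPV > 0 at the organization's cost of capital k, which for a conventional project (one initial outflow followed by net inflows) is the same as IRR > k.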

Must-do Projects
• Some security activities are required by law and hence must be done, irrespective of IRR/NPV
• Example: HIPAA compliance requirements
  • Safeguards must be in place so that access to patient information is limited to authorized parties
• Many organizations outsource such security activities

Example 1
• The organization wants a new IDS
• Initial investment is $200,000, paid at the beginning of the first period
• Expected to have a two-year useful life
• Annual incremental benefit generated from the investment is estimated at $400,000
• Annual incremental operating cost for the system is estimated at $100,000
• Discount rate: 15%

Example 2
• Same IDS project, but the initial investment is $280,000, paid at the beginning of the first period
• Expected to have a two-year useful life
• Annual incremental benefit generated from the investment is estimated at $400,000
• Annual incremental operating cost for the system is estimated at $100,000
• Discount rate: 15%

Return on Investment
• ROI is essentially last period's annual profit divided by the cost of the investment required to generate that profit
• ROI is a historical measure of performance used for evaluating past investments
• NPV and IRR are performance measures used to make decisions about potential new investments
• Unlike IRR, ROI technically does not consider the time value of money

Return on Investment
• ROIs for the two examples (annual net benefit = $400,000 - $100,000 = $300,000)
  • Example 1: 300K / 200K × 100% = 150%
  • Example 2: 300K / 280K × 100% = 107%
• ROI implicitly assumes that the investment will continue to produce returns of $300K in years 2, 3, 4 and beyond
  • For an asset with a two-year useful life, this dramatically overstates the economic rate of return
• The longer the returns persist, the better ROI approximates the IRR
  • If the $300K net benefit could go on forever, ROI = IRR
• Surveys show that many managers use the ROI acronym when they actually mean IRR
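The following script works Examples 1 and 2 through the NPV model and then puts the ROI slide's claim to the test numerically: it computes NPV at k = 15%, solves for IRR, and shows how ROI overstates IRR for a two-year asset but converges to it as the returns are assumed to persist. This is an added example, not code from the lecture; the `Project` container, the bisection IRR solver and the `extend_life` helper are my own constructions, and the inputs are the two slide examples typed in by hand.

```python
"""Worked NPV / IRR / ROI comparison for the two IDS examples.

Added example, not from the lecture slides. Symbols follow the slides:
C0 = initial investment, Bt / Ct = annual incremental benefit / cost in
period t, k = discount rate. The Project container, the bisection IRR
solver and extend_life are my own helpers (assumptions), not anything
defined in the course material.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Project:
    c0: float        # initial investment, paid at the start of period 1
    benefits: list   # Bt for t = 1..T
    costs: list      # Ct for t = 1..T


def net_flows(p: Project) -> list:
    """Incremental net cash flow (Bt - Ct) for each period t = 1..T."""
    return [b - c for b, c in zip(p.benefits, p.costs)]


def npv(p: Project, k: float) -> float:
    """NPV = -C0 + sum_{t=1}^{T} (Bt - Ct) / (1 + k)^t."""
    return -p.c0 + sum(f / (1.0 + k) ** t
                       for t, f in enumerate(net_flows(p), start=1))


def irr(p: Project, lo: float = -0.99, hi: float = 10.0, tol: float = 1e-10) -> float:
    """Discount rate at which NPV == 0, found by bisection.

    For a conventional project (one initial outflow, then net inflows) NPV is
    strictly decreasing in k, so there is exactly one root in [lo, hi] whenever
    NPV(lo) > 0 > NPV(hi).
    """
    if npv(p, lo) * npv(p, hi) > 0:
        raise ValueError("IRR not bracketed: no sign change in NPV over [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if npv(p, mid) > 0:   # still positive: the root lies at a higher rate
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def roi(p: Project) -> float:
    """Last period's net benefit divided by the investment (ignores time value of money)."""
    return net_flows(p)[-1] / p.c0


def extend_life(p: Project, years: int) -> Project:
    """Same investment, with the final period's flows repeated out to `years` periods.

    Models the ROI slide's implicit assumption that the returns keep coming.
    """
    return Project(p.c0, [p.benefits[-1]] * years, [p.costs[-1]] * years)


# Constructed inputs: the two slide examples (two-year life, k = 15%).
K = 0.15
EXAMPLE_1 = Project(c0=200_000, benefits=[400_000, 400_000], costs=[100_000, 100_000])
EXAMPLE_2 = Project(c0=280_000, benefits=[400_000, 400_000], costs=[100_000, 100_000])


def compare(p: Project, k: float = K) -> dict:
    """Decision metrics for one project; accept when NPV > 0 (equivalently IRR > k)."""
    return {
        "npv": round(npv(p, k), 2),
        "irr": round(irr(p), 4),
        "roi": round(roi(p), 4),
        "accept": npv(p, k) > 0,
    }


if __name__ == "__main__":
    for name, proj in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, compare(proj))
    # ROI overstates the two-year IRR; the longer the returns persist, the closer they get.
    for years in (2, 5, 10, 50):
        p = extend_life(EXAMPLE_1, years)
        print(f"life={years:>2}y  ROI={roi(p):.3f}  IRR={irr(p):.3f}")
```

Both examples have a positive NPV at 15% (about $287.7K and $207.7K), so both pass the NPV test; the IRRs are roughly 119% and 70%, well below the 150% and 107% ROI figures, which is the overstatement the slide describes. Pushing the life of Example 1 out to 50 years drives its IRR up to essentially 1.5, matching the ROI, which is the perpetuity case where the two measures coincide.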